meta-openembedded and poky: subtree updates
Squash of the following due to dependencies among them
and OpenBMC changes:
meta-openembedded: subtree update:d0748372d2..9201611135
meta-openembedded: subtree update:9201611135..17fd382f34
poky: subtree update:9052e5b32a..2e11d97b6c
poky: subtree update:2e11d97b6c..a8544811d7
The change log was too large for the jenkins plugin
to handle therefore it has been removed. Here is
the first and last commit of each subtree:
meta-openembedded:d0748372d2
cppzmq: bump to version 4.6.0
meta-openembedded:17fd382f34
mpv: Remove X11 dependency
poky:9052e5b32a
package_ipk: Remove pointless comment to trigger rebuild
poky:a8544811d7
pbzip2: Fix license warning
Change-Id: If0fc6c37629642ee207a4ca2f7aa501a2c673cd6
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 19ed554..2a530a0 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -52,11 +52,14 @@
"""
if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
- patched_cves = get_patches_cves(d)
- patched, unpatched = check_cves(d, patched_cves)
+ try:
+ patched_cves = get_patches_cves(d)
+ except FileNotFoundError:
+ bb.fatal("Failure in searching patches")
+ whitelisted, patched, unpatched = check_cves(d, patched_cves)
if patched or unpatched:
cve_data = get_cve_info(d, patched + unpatched)
- cve_write_data(d, patched, unpatched, cve_data)
+ cve_write_data(d, patched, unpatched, whitelisted, cve_data)
else:
bb.note("No CVE database found, skipping CVE check")
@@ -129,6 +132,10 @@
for url in src_patches(d):
patch_file = bb.fetch.decodeurl(url)[2]
+ if not os.path.isfile(patch_file):
+ bb.error("File Not found: %s" % patch_file)
+ raise FileNotFoundError
+
# Check patch file name for CVE ID
fname_match = cve_file_name_match.search(patch_file)
if fname_match:
@@ -172,13 +179,13 @@
products = d.getVar("CVE_PRODUCT").split()
# If this has been unset then we're not scanning for CVEs here (for example, image recipes)
if not products:
- return ([], [])
+ return ([], [], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
# If the recipe has been whitlisted we return empty lists
if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
- return ([], [])
+ return ([], [], [])
old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
if old_cve_whitelist:
@@ -214,7 +221,7 @@
(_, _, _, version_start, operator_start, version_end, operator_end) = row
#bb.debug(2, "Evaluating row " + str(row))
- if (operator_start == '=' and pv == version_start):
+ if (operator_start == '=' and pv == version_start) or version_start == '-':
vulnerable = True
else:
if operator_start:
@@ -256,7 +263,7 @@
conn.close()
- return (list(patched_cves), cves_unpatched)
+ return (list(cve_whitelist), list(patched_cves), cves_unpatched)
def get_cve_info(d, cves):
"""
@@ -280,7 +287,7 @@
conn.close()
return cve_data
-def cve_write_data(d, patched, unpatched, cve_data):
+def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
"""
Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
CVE manifest if enabled.
@@ -296,7 +303,9 @@
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV")
write_string += "CVE: %s\n" % cve
- if cve in patched:
+ if cve in whitelisted:
+ write_string += "CVE STATUS: Whitelisted\n"
+ elif cve in patched:
write_string += "CVE STATUS: Patched\n"
else:
unpatched_cves.append(cve)